On 17/11/2015 17:11, sajolida wrote:
> Giorgio Maone:
> Now you've got the flexibility of choosing to pin the domain cert, the
> issuer's (CA's) cert or both.
> I've seen that in conf.json. Regarding the different kinds of pinning,
> how do you switch from trusting the cert to trusting the issuer or both?
> By adding and removing the corresponding information in the
> configuration file? Is it that any pinning available in the
> configuration file is trusted?
>
In the "pins" section, you can add as many "certs" and "issuers" entries
as you want, listing identifiers for domain certificates and their
issuers, respectively.
Whether they're actually used to verify a certain domain or not is
determined by the content of "pins" > "domains", though.
This section currently looks like this:
"domains": {
"tails.boum.org": {
"cert": null,
"issuer": "Gandi"
},
"maone.net": {
"cert": "maone.net",
"issuer": "COMODO"
}
}
For any entry in "domains", you can specify a reference to a "certs"
entry ("cert"), to an "issuers" entry ("issuer") or both.
In the example above, "tails.boum.org" is pinned on its issuer ("Gandi")
only (because "cert" is null, rather than "*.boum.org"), while the
"maone.net" domain is pinned both on the certificated referenced by the
"maone.net" key and to the "COMODO" issuer.
If I've not been clear enough, feel free to ask.
Cheers
--
Giorgio Maone
https://maone.net